An as-yet-unidentified vulnerability affecting some Linksys WiFi routers is now being actively and massively exploited in the wild. The worm is being called "TheMoon", warns SANS senior instructor and ISC researcher Johannes Ullrich. The investigation began when a Wyoming-based ISP noticed that a number of its customers had had their Linksys routers and home networks compromised within the last couple of days.
"The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available)," he went on to explain in a blog post, adding that a few of the routers might also have had their DNS configurations altered to point to Google's DNS server.
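As an added illustration (not part of the original report, nor code from SANS/ISC), a defender-side check for the scanning behaviour just described: it reads firewall-style SYN log lines and flags any internal source that reaches an unusually large number of distinct hosts on ports 80 and 8080 within a short window. The log format, the addresses and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an assumed "ts SYN src -> dst:port" format (not real ISP data):
# one router hitting 25 distinct hosts on 80/8080 within seconds, one normal web client,
# and one host that is busy on a non-web port and must not be counted.
SAMPLE_LOG = "\n".join(
    [f"2014-02-13T10:00:{i:02d} SYN 192.0.2.10 -> 203.0.113.{i + 1}:{80 if i % 2 else 8080}"
     for i in range(25)]
    + [f"2014-02-13T10:00:{i * 10:02d} SYN 192.0.2.20 -> 198.51.100.{i + 1}:80"
       for i in range(5)]
    + [f"2014-02-13T10:00:{i:02d} SYN 192.0.2.30 -> 203.0.113.{i + 1}:22"
       for i in range(25)]
)

LINE_RE = re.compile(r"^(\S+) SYN (\S+) -> (\S+):(\d+)$")


def parse(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, ports=(80, 8080), window_s=60, threshold=20):
    """Return {src: peak_distinct_targets} for every source that touches more than
    `threshold` distinct dst:port pairs on the watched ports inside any sliding
    window of `window_s` seconds."""
    events = sorted((e for e in parse(lines) if e[3] in ports), key=lambda e: e[0])
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        per_src[src].append((ts, f"{dst}:{port}"))
    flagged = {}
    for src, evs in per_src.items():
        window = deque()            # (ts, target) events inside the current window
        seen = defaultdict(int)     # target -> how many events in the window hit it
        peak = 0
        for ts, target in evs:
            window.append((ts, target))
            seen[target] += 1
            while (ts - window[0][0]).total_seconds() > window_s:   # expire old events
                old_ts, old_target = window.popleft()
                seen[old_target] -= 1
                if seen[old_target] == 0:
                    del seen[old_target]
            peak = max(peak, len(seen))
        if peak > threshold:
            flagged[src] = peak
    return flagged
```

On the constructed sample, only 192.0.2.10 is flagged; the SSH-heavy host is ignored because its traffic is not on the watched ports.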
So far, the exploit does not appear to work against Linksys E1200 routers running the most recent firmware, but E1000 routers are vulnerable even when running the most recent firmware.
In addition to mass exploitation, the worm tries to download a "second stage" executable that contains a pair of hard-coded netblocks and certain information for communicating with the C&C servers. Other files may also be downloaded.
Others have theorized that a remote command injection vulnerability may have been exploited in the campaign, and that the routers' DNS configurations are being altered to facilitate MitM attacks, ultimately leading to financial theft.